XSS (Cross-Site Scripting)

Cross-Site Scripting (XSS) is a vulnerability that appears when an attacker is able to get HTML, JavaScript or VBScript code executed inside your application. As a result the attacker can steal session cookies or passwords, or break the page. XSS is one of the most serious and common attacks against web applications. Protection against XSS is especially important for external pages; internal pages are reachable only by a limited number of users, but they are still at risk.

Example (vulnerable):

Apex controller:

public class DemoXSS {
    public String strXSS { get; set; }
    public DemoXSS() {
        // In a real application this value would come from untrusted input
        strXSS = 'alert(document.cookie);';
    }
}

VF Page:

<apex:page controller="DemoXSS">
    <script type="text/javascript">
        function demoXSS() {
            {!strXSS}
        }
    </script>
    <input type="button" onclick="demoXSS();"/>
</apex:page>

As a result, the JavaScript code is executed and reads the document's cookies. The variable strXSS can contain anything, so it can cause irreversible damage.

To avoid this danger, the output must be encoded for the context in which it is used. For example, if the variable strXSS is used in an HTML context, the characters '<' and '>' must be encoded as '&lt;' and '&gt;' respectively. In a JavaScript context the same characters are encoded as '\u003C' and '\u003E'.

The Salesforce platform provides the following VisualForce encoding functions:

In the second example below, the <apex:outputText> component is given the attribute escape="false", and exactly this makes its output vulnerable.

Note: Salesforce takes care to reduce these vulnerabilities: pages built with Apex and Visualforce are protected against XSS by default, because escape="true" is the default on the components that can render script.

Controller:

public class DemoXSS {
    public String strXSS { get; set; }
    public DemoXSS() {
        // In a real application this value would come from untrusted input
        strXSS = '<script>alert(1);</script>';
    }
}

VF Page:

<apex:page controller="DemoXSS">
    <apex:outputText escape="false" value="<i>Hello {!strXSS}</i>"/>
</apex:page>

As a result, only the word "Hello" is rendered in italics, and the JavaScript code is executed, which displays a pop-up message (the alert call).
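As an added example (not code from the original post), here is a single Visualforce page that hardens both of the vulnerable pages above, applying the context-specific encoding rule from the earlier section and keeping escape at its default of true for the outputText. It uses the same DemoXSS controller and the platform's built-in JSENCODE and HTMLENCODE expression functions; the button label, the message variable and the window.alert call are my own additions.

```xml
<apex:page controller="DemoXSS">
    <!-- JavaScript context: never splice {!strXSS} into the page as code.
         Emit it as a string literal wrapped in JSENCODE, which escapes
         quotes, backslashes and angle brackets so the value cannot
         terminate the literal or the script block. -->
    <script type="text/javascript">
        function demoXSS() {
            var message = '{!JSENCODE(strXSS)}';
            window.alert(message);  // displays the text; nothing in it is executed
        }
    </script>
    <input type="button" value="Run demoXSS" onclick="demoXSS();"/>

    <!-- HTML context: leave escape at its default of true (written out
         here for clarity). The < and > in the value are rendered as
         &lt; and &gt;, so <script>alert(1);</script> is shown as text
         and never parsed as markup. The italics belong in the page, not
         inside the attacker-controlled value. -->
    <i>Hello <apex:outputText escape="true" value="{!strXSS}"/></i>

    <!-- HTMLENCODE makes the HTML encoding explicit, independent of the
         surrounding component's defaults. -->
    <p>{!HTMLENCODE(strXSS)}</p>
</apex:page>
```

With either controller value from the examples above, the button now shows the raw text of strXSS in the alert and the page displays it literally; the browser never sees an unescaped quote or angle bracket from the controller.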